Yubikey 4 for SSH with physical presence proof

Jan 28, 2016,
Categories: security

This is another post in the series of how to protect SSH keys
with hardware, making them impossible to steal.

This means that you know that your piece of hardware (e.g. Yubikey or
TPM inside your laptop) was actively involved in the transaction, and
not, say, turned off and disconnected from the Internet at the time
(like in a safe or on an airplane).

What’s new this time is that we can now have a physical presence test
on every use of the key. That means that even if someone hacks your
workstation completely and installs a keylogger to get your PIN,
unless they also break into your home they can’t use the key even
while the machine is on and connected. Evil hackers in another
country are out of luck.

Intro

Most of this is a repeat of official docs (see references).

If it looks like a command is hanging, check to see if the Yubikey is
flashing. If it is, then touch it.

The touch feature is optional. If you don’t want a key to require it,
you can chose to generate a key that doesn’t.

If you get “no smart card readers found”, open
/etc/libccid_Info.plist, and add the vendor (should be 0x1050),
product (0x0407 or near there) and “Yubico Yubikey 4 Something” as the
first entry in ifdVendorID, ifdProductID and ifdFriendlyName
arrays respectively. The actual vendor and product codes you can see
by running lsusb. Then restart pcscd and try again.

Change the PIN and the PUK.

They default to 123456 and 12345678 respectively.

The PIN will be asked for by the user, and the PUK is used in case the
user locked themselves out by failing to provide the right PIN too
many times. Three times by default.

If you lose your PIN and PUK you can reset the Yubikey by first
spending all your PIN/PUK attempts, and then running

yubico-piv-tool -a reset

You may want to set the management key too. See this
matrix
for details about what PIN is used for what. In short, if you are a
hobbyist then I’d say you don’t need to set the management key. If you
are the security department for your organization and you’re handing
out these Yubikeys, then you probably do. You don’t want your users to
change the number of PIN retries they’re allowed, for example.

Generate a key

The second command here requires a touch. Check for the Yubikey blinking. The
first command is not waiting for touch. It just takes a while to generate
a 2048 bit RSA key.

Touch policy “always” means that every time the key is used it
requires a touch.

The key generation command also takes a --pin-policy that can be set
to “once”. I’m not sure what that means. I would have guessed that
only once per power-up, but when testing I get asked every time, even
if I set it to “never”.